How can I force a facebook access token to expire?

30
votes

I'm doing some testing in the wake of offline_access's expiration. I think that since all interactions my app makes with Facebook are done via my servers and are user initiated by user activity at several application end points (phone apps, website, desktop application) I can use an Application Access Token to publish to the wall on behalf of my users, assuming the application is still authorized even if the access token I requested during authorization is expired. That seems to be what the documentation here is implying with

Authenticating as an App allows you to obtain an access token which allows you to make request to the Facebook API on behalf of an App rather than a User. [...] App access tokens can also be used to publish content to Facebook on behalf of a user who has granted a publishing permission to your application.

App Access Tokens generally do not expire. Once generated, they are valid indefinitely.

However, I need to test this. So I need to expire some tokens. I tried using official test users which you create in the developer site, that can only interact with your app's sandbox and other users in it, but their tokens seem to be perpetually valid for one hour.

So I tried using a real facebook user that I created for this, and changing the password which I'd read is supposed to expire the token. But it doesn't. The token still reports valid in the debugger and I can still use it for many things, including publishing to my wall. I can even continue to use this token after logging out of the facebook site completely.

What gives? How can I get an expired access_token so that I can test my Application Access Token?

Edit: I think it's going to work. I created my application access token and used the CLIENT-SIDE flow to get an user access token that only lasted 2 hours, so I could actually just wait for it to expire. After the expiration I used the Graph API explorer to try to post a status update, which failed telling me when my token had expired. I then tried the same action using my application token which succeeded.

8
facebookfacebook-graph-api
Try removing the app in the user settings and reinstalling it. You should get a new tokenphwd
Would the old token then behave as expired, deauthorized, or invalid? A new token would just act exactly the same, wouldn't it? It'd be good for 60 days and probably wouldn't expire when I changed password either?Sloloem
@phwd apparently doing that makes the old token return as "Session does not match current stored session. This may be because the user changed the password since the time the session was created or Facebook has changed the session for security reasons." The app token does work, but I don't know if it's because there's a valid user token or if it's the fact the user authorized the app at all.Sloloem

8 Answers

15
votes

This should work, check below.

Invalidating (aka logout) your token; make HTTP GET call to that endpoint;

https://api.facebook.com/restserver.php?method=auth.expireSession&format=json&access_token=<access_token>

p.s. my answer is from 2012... Since then, Facebook API has evolved with many major changes. It is more reliable to read the up2date Facebook developer doc

34
votes

But it says right there in the documentation, just after the last line you quoted:

App Access Tokens generally do not expire. Once generated, they are valid indefinitely. However, if you need to invalidate your App Access Token for some reason, you can reset your App Secret in your app's settings. Once your App Secret has been reset, you will need to go through the steps below to generate a new app access token.

So for your testing purposes reset the app secret key.

Edit

Oh, I completely misunderstood you.
It's easier to invalidate a user token, you just use the me/permissions connection with a DELETE request.

That will remove the app for the logged in user.
You can try that from the explorer tool, just select DELETE on the select box left to the path field.

10
votes

Like @guleryuz response, but in pratical way:

Given a valid access_token ${token}:

$ curl -X GET "https://graph.facebook.com/v2.7/me/permissions?access_token=${token}"
{"data":[{"permission":"user_friends","status":"granted"},{"permission":"email","status":"granted"},{"permission":"manage_pages","status":"granted"},{"permission":"business_management","status":"granted"},{"permission":"pages_messaging","status":"granted"},{"permission":"pages_messaging_phone_number","status":"granted"},{"permission":"public_profile","status":"granted"}]}

Do revoke request:

$ curl -X DELETE "https://graph.facebook.com/v2.7/me/permissions?access_token=${token}"
{"success":true}

Verify revoke:

$ curl -X GET "https://graph.facebook.com/v2.7/me/permissions?access_token=${token}"
{"error":{"message":"Error validating access token: The session was invalidated explicitly using an API call.","type":"OAuthException","code":190,"error_subcode":466,"fbtrace_id":"E2UhrNzyyzZ"}}
5
votes

The answers posted here are outdated. To force your token to expire: log in to your facebook account, go to "Settings", then click "Apps" on the left hand side

Settings selection

Remove the app:

enter image description here

That will force the token to expire.

3
votes

Another possible solution is to use a test account with a customized expiration time:

enter image description here

enter image description here

2
votes

For view permissions

https://graph.facebook.com/v2.7/{userID}/permissions?access_token={acessToken}

For delete permissions add "method=delete" before &access_token=

https://graph.facebook.com/v2.7/{userID}/permissions?method=delete&access_token={acessToken}
1
votes

you can try replicating the behavior by changing your facebook password

-3
votes

In this url https://www.facebook.com/connect/login_success.html#access_token="access_token" &expires_in=1.minutes in the place of "access_token" enter your access token without quotes and the access token will expire in 1 minute.